Remote CLI access to Ubuntu Linux PC using web browser through authenticated HTTPS

Shellinabox

Lets say you need to access your Ubuntu Linux PC at your home from the other PC behind very restrictive firewall. Lets also say that all you have access to is port 80 (http) and port 443 (https). Lets unlock this situation. Ill show you how to setup Shell In A Box with additional layer of security with Apache2 SSL. Prerequisite for the following guide is that you have fully working Apache 2 installation on you Ubuntu system. If you need instructions for this, you can find them on one of my older posts:

Ubuntu Netbeans and LAMP server with Xdebug as non-root user

In this post I'll mostly give you CLI commands without to much explanation so it is up to you to go trough the procedure and adjust it according to your own setup. Reason for this approach is that the procedure is a bit longer and there could be 10 pages explanation for all of this. Of course I'll give basic explanation for most important commands. So lets get down to business...

Basic HTTPS Shell In A Box

First we download and install Shell In A Box. You can download .deb file for your operating systems architecture here by visition Shell In A Box official page here.

Next thing is to install Shell In A Box:

sudo dpkg -i shellinabox*.deb

Now we need to add a few options to Shell In A Box .conf file:

sudo gedit /etc/default/shellinabox

You need to replace line:

SHELLINABOX_ARGS="--no-beep"

with line:

SHELLINABOX_ARGS="--no-beep --localhost-only --disable-ssl"

Lets enable necessary Apache2 modules:

sudo a2enmod proxy
sudo a2enmod proxy_http
sudo a2enmod ssl

Now we need to copy default Apache 2 SSL virtual host and modify it for our purpose:

sudo cp /etc/apache2/sites-available/default-ssl  /etc/apache2/sites-available/default-ssl-shellinabox
sudo gedit /etc/apache2/sites-available/default-ssl-shellinabox

We need to add following inside <VirtualHost> </VirtualHost> tags:

<Location /shell>
    ProxyPass http://localhost:4200/
    Order allow,deny
    Allow from all
</Location>

Now we enable our new site and restart Shell In A Box and Apache2 services:

sudo a2ensite default-ssl-shellinabox
sudo service shellinabox restart
sudo service apache2 restart
Custom self signed SSL certificate

You can already access your Ubuntu Linux PC shell on the location https://localhost/shell. If you also need additional layer of security using HTTP authentication besides you accounts user name and password, read on. Ubuntu comes with "default" SSL certificate so your https page is working, but the safe bet will be to create custom self signed SSL certificate. This process will require password (make up something complex) you'll need to remember or write down. When process asks you for things like country, name etc. feel free do leave it blank, I do. If you set "Common Name" field to say www.TechyTalk.info, certificate could only be used on www.TechyTalk.info so the best way is to leave everything blank for our "hobby" purpose.

openssl genrsa -des3 -out server.key 4096
openssl req -new -key server.key -out server.csr
openssl x509 -req -days 365 -in server.csr -signkey server.key -out server.crt
openssl rsa -in server.key -out server.key.insecure
mv server.key server.key.secure
mv server.key.insecure server.key
sudo mkdir /etc/apache2/ssl
sudo cp server.crt /etc/apache2/ssl
sudo cp server.key /etc/apache2/ssl/

Now we will adjust our Apache2 virtual host and point it to the SSL certificate we have just created:

sudo gedit /etc/apache2/sites-enabled/default-ssl-shellinabox

Adjust "SSLCertificateFile" and "SSLCertificateKeyFile" lines to the following:

SSLCertificateFile /etc/apache2/ssl/server.crt
SSLCertificateKeyFile /etc/apache2/ssl/server.key

If you don't plan to do HTTP authentication you should restart Apache2, else you can proceed.

sudo service apache2 restart
HTTP authentication

So now our site is using our custom SSL certificate. Next thing is to set HTTP authentication. Intention is to use additional password besides your accounts password to access your PC (you can never be to safe). Here are the commands to make this happen with your additional user name (make sure to replace ##USERNAME## with your username):

sudo htpasswd -c /etc/apache2/.htpasswd ##USERNAME##

Please remember the password you gave to htpasswd because this password will be used for HTTP authentication.

Now we need to modify Apache2 mod proxy .conf file to allow authenticating with ##USERNAME##. Make sure to replace ##USERNAME## with your username.

sudo gedit /etc/apache2/mods-available/proxy.conf

We need to modify it like this:

ProxyRequests Off
<Proxy *>
     AddDefaultCharset off
     AuthUserFile /etc/apache2/.htpasswd
     AuthName EnterPassword
     AuthType Basic
     require user ##USERNAME##
     Order allow,deny
     Allow from all
</Proxy>

Now we restart Apache2:

sudo service apache2 restart

Thats it. Now you go to https://localhost/shell, enter HTTP user name and password, then Ubuntu Linux user name and password and do whatever you want to do on your PC remotely. In addition to this if you connect using ADSL or wireless broadband it is useful to setup something like DynDns so you could access your PC using user friendly doman name.

This post is a bit longer so there's a lot of room for mistakes on my part and yours. So please if something doesn't work comment here sou I could correct any eventual mistakes. Cheers!

DevGenii

E-commerce is a breeze with Magento Certified Developer Plus & Zend Certified PHP Engineer nearby. Get in touch!

9 thoughts on “Remote CLI access to Ubuntu Linux PC using web browser through authenticated HTTPS

  1. Andy

    Hi,
    Thank you for this great tutorial. Worked flawlessly for me other than the part where we download and install the shell in a box. I downloaded/installed it with the deb file from the net search. But all the configurations commands worked without a hitch.

    I was wondering if you have tried a webdav over https as a personal online storage solution, if so can you direct us about that ?

    Reply
    1. Marko Author

      Hello Andy,
      I’m glad you found it useful. About downloading issue, I’ve updated article to reflect some changes on Google Code that hosts the project in question.

      Unfortunately I do not have much experience with webdav so I can’t be of any assistance to you.

      Reply
  2. farid

    hi,
    very good sir..at least i solve my 1 week problem :). BTW can you email me howto access via https://localhost:4200? It said error 102 server refused the connection
    And howto enable root login..currently shellinabox allow user login only.
    I already enable root
    hope you can help me sir…

    Reply
  3. Solly

    Great tutorial, but I’m having an issue. I can’t reach my server from beyond my gateway. I’m fwding outside 443 to the inside server on 4200 but not getting a connection. Firefox is giving

    SSL received a record that exceeded the maximum permissible length.
    (Error code: ssl_error_rx_record_too_long)

    whereas IE and Chrome just say they cannot connect.

    I’m able to get there thru port 80, which is fine since I have the server in a DMZ and nothing important is happening yet but of course I’d prefer SSL now so i can use it later 🙂

    Reply
  4. JorgeRomano

    Hello. this is to access a shell from the job to the home.
    But if we need to reach a shell from home to job?
    for home office porpuses.

    Thank you

    Reply
  5. Ivan

    Hello,

    Thanks for this tutorial, find it only who actually works (among dozen tested configurations ^_^ ) !!!!
    Awesome !!!
    Again, Thank you a lot.

    Reply
  6. Fenrrs

    Thank you sooooo much! I have spent days trying to get a web terminal working and this worked without any problems at all!

    Reply

Leave a Reply

Your email address will not be published. Required fields are marked *